We are using traefik 3.0.3 with our internal smallstep CA and it's working perfectly to issue certificates. However, when we try to customize our certificatesDuration option... it doesn't request and get issued certificates with the correct duration... but the default duration configured on our step CA.
Can you provide more details, a reproducible example?
Sure... this is my docker-compose for our traefik install:
version: '3'
services:
  traefik:
    container_name: traefik
    image: traefik
    restart: always
    command:
      - "--api.insecure=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.traefikresolver.acme.caserver=https://step.example.com/acme/acme/directory"
      - "--certificatesresolvers.traefikresolver.acme.certificatesDuration=48"
      - "--certificatesresolvers.traefikresolver.acme.email=support@example.com"
      - "--certificatesresolvers.traefikresolver.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.traefikresolver.acme.tlschallenge=true"
      - "--log.level=DEBUG"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    networks:
      - lb_web
networks:
  lb_web:
    external: true
After we added the certificatesDuration option... and restarted traefik and all of the containers using it... new certs were issued... they only had 24hr certs that are the default (but configurable) from our step CA...
Not sure what else to say there... when we use other things with our step CA, such as acme.sh ... we can configure other certificate durations...
Your config seems to be according to the doc.
Can you trace the network requests to see if the parameter and value are transmitted?
If you think it’s a bug you could open a GitHub issue. It would probably help if you could also supply a compose for the CA.
Yeah, I can clearly see in the StepCA pod logs that the new-order is asking for this:
\"notBefore\":\"2024-06-25T21:30:14Z\",\"notAfter\":\"2024-06-26T21:31:14Z\"
In my current test, I set certificatesDuration=72
... so, not sure why it's just doing 24h+1m
Then you should probably create an official issue.
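One way to script the check discussed in this thread: pull the notBefore/notAfter window out of CA log text and compare it with the configured certificatesDuration, which Traefik takes in hours. This is an added example, not part of the original posts and not Traefik or step-ca code; the function names, the 5-minute slack and the second sample string are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# From the thread: the validity window seen in the step-ca log for the new-order.
PAGE_FRAGMENT = r'\"notBefore\":\"2024-06-25T21:30:14Z\",\"notAfter\":\"2024-06-26T21:31:14Z\"'
# Constructed sample: an order payload that carries no validity fields at all.
NO_VALIDITY = r'{\"identifiers\":[{\"type\":\"dns\",\"value\":\"app.example.com\"}]}'

# Accepts quotes with or without the backslash escaping used inside log strings.
_FIELD = re.compile(r'\\?"(notBefore|notAfter)\\?"\s*:\s*\\?"([^"\\]+)\\?"')


def requested_validity(log_text):
    """Return (not_before, not_after) as UTC datetimes; None for a missing field."""
    found = dict(_FIELD.findall(log_text))

    def parse(key):
        value = found.get(key)
        if value is None:
            return None
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

    return parse("notBefore"), parse("notAfter")


def check_duration(log_text, configured_hours, slack=timedelta(minutes=5)):
    """Compare the logged validity window with certificatesDuration (hours)."""
    not_before, not_after = requested_validity(log_text)
    if not_before is None or not_after is None:
        # Nothing to compare: the log text carries no validity window.
        return {"status": "not-in-log", "logged": None}
    logged = not_after - not_before
    expected = timedelta(hours=configured_hours)
    # slack (assumed value) absorbs small offsets such as the +1m seen above.
    status = "match" if abs(logged - expected) <= slack else "mismatch"
    return {"status": status, "logged": logged, "expected": expected}


if __name__ == "__main__":
    for hours in (72, 24):
        print(hours, check_duration(PAGE_FRAGMENT, hours))
    print(check_duration(NO_VALIDITY, 72))
```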